ID: 29652
Comment by: rvs at angara dot ru
Reported By: yannick at agl dot fr
Status: Open
Bug Type: OCI8 related
Operating System: Linux Redhat 7.3
PHP Version: 4.3.7
New Comment:
Also note that PHP 5 has similar code for OCIEnvNlsCreate() and frees
environment handle (OCI_HTYPE_ENV) only at shutdown.
So the problem seems to be in PHP 5 also.
Sergei V. Rozinov
Leading RISC-Systems engineer
JSC Sibron, RUSSIA
Previous Comments:
------------------------------------------------------------------------
[2004-09-15 13:59:10] rvs at angara dot ru
I have the same error on php4.3.8/ora9.2.0.1.0/Solaris 9/sparc.
Some details: the .msb file descriptors grow in the following cases:
A. using ocinlogon()
B. using ocilogon() and working as a Apache module
C. using oci*logon() with invalid credentials.
The following code of case "C" may exhaust filedescriptor limit very
easily and quickly.
for ($i=0; $i < 200; $i++)
@ocilogon($i, $i, $db);
After extensive researching I've found that:
1. the .msb file openings occur when OCIEnvNlsCreate() is called.
2. in ext/oci8.c,v 1.183.2.12 line 2257, function _oci_open_session()
the OCIEnvNlsCreate() invoked when session is not persistent, not
cached, or is exclusive.
3. if the session setup is unsuccessful, the environment handle is not
freed.
4. the environment handle is freed only when PHP shuts down, see line
613.
The result will be filedescriptor and memory leakage in all cases A,B,C
mentioned above. This could lead to security/DOS problem for websites
which use ocilogon()/ocinlogon() or passthrough Oracle authentication
in their php scripts.
Recommendations, workaround:
1. in module mode, avoid using ocilogon(), use ociplogon() instead.
2. avoid using Oracle pass-through authentication (i.e. when username
and password for ociplogon() is given from the website user).
3. fixing oci8.c code to free env handle at least after unsuccessful
logon is necessary.
With regards,
Sergei V. Rozinov
Leading RISC-Systems engineer
JSC Sibron, RUSSIA
------------------------------------------------------------------------
[2004-08-23 16:19:59] yannick at agl dot fr
oci library: 9.2.0.3
------------------------------------------------------------------------
[2004-08-23 16:08:47] esartoni at omniaglobal dot net
Hey Yannick, could you please tell us what version of oci libraries are
you using?
With php 4.3.8 using oci 8.1.7.0.0 i have no problem at all.
------------------------------------------------------------------------
[2004-08-20 14:43:46] yannick at agl dot fr
i tried with 4.3.8 without HAVE_OCI_9_2
there is no problem. if i defined HAVE_OCI_9_2 the issue occurs.
------------------------------------------------------------------------
[2004-08-20 10:26:00] yannick at agl dot fr
tested with php 4.2.3 and php 5.0.1, there is no problem
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/29652
--
Edit this bug report at http://bugs.php.net/?id=29652&edit=1
